@@ -7635,18 +7635,19 @@ function dol_htmlwithnojs($stringtoencode, $nouseofiframesandbox = 0, $check = '
|
|
|
} while ($oldstringtoclean != $out);
|
|
|
|
|
|
// Check the limit of external links that are automatically executed in a Rich text content. We count:
|
|
|
- // '<img' to avoid <img src="http...">
|
|
|
+ // '<img' to avoid <img src="http...">, we can only accept "<img src="data:..."
|
|
|
// 'url(' to avoid inline style like background: url(http...
|
|
|
// '<link' to avoid <link href="http...">
|
|
|
$reg = array();
|
|
|
- preg_match_all('/(<img|url\(|<link)/i', $out, $reg);
|
|
|
- $nbextlink = count($reg[0]);
|
|
|
- if ($nbextlink > getDolGlobalInt("MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT", 1000)) {
|
|
|
+ $tmpout = preg_replace('/<img src="data:/mi', '<__IMG_SRC_DATA__ src="data:', $out);
|
|
|
+ preg_match_all('/(<img|url\(|<link)/i', $tmpout, $reg);
|
|
|
+ $nblinks = count($reg[0]);
|
|
|
+ if ($nblinks > getDolGlobalInt("MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT", 1000)) {
|
|
|
$out = 'ErrorTooManyLinksIntoHTMLString';
|
|
|
}
|
|
|
//
|
|
|
if (!empty($conf->global->MAIN_DISALLOW_URL_INTO_DESCRIPTIONS) || $check == 'restricthtmlnolink') {
|
|
|
- if ($nbextlink > 0) {
|
|
|
+ if ($nblinks > 0) {
|
|
|
$out = 'ErrorHTMLLinksNotAllowed';
|
|
|
}
|
|
|
}
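Review bot: The data: exemption introduced at the `$tmpout = preg_replace(...)` line is keyed only on the `src` attribute, so an `<img src="data:...">` tag that also carries a URL in another attribute such as `srcset` is no longer counted at all, whereas before the change every `<img` was; counting that attribute alongside the others keeps the limit meaningful: `preg_match_all('/(<img|url\(|<link|srcset=)/i', $tmpout, $reg);`. The replacement pattern also only recognises the exact `<img src="data:` spelling, so data: images written with extra whitespace, single quotes or attributes before src still count against the limit, which fails safe but deserves a comment like `// only the canonical <img src="data: form is exempted; other spellings still count as links`. The `m` modifier on that preg_replace has no effect because the pattern contains no anchors. dol_htmlwithnojs starts and ends outside the hunk, so any later reference to the old $nbextlink name would need to be checked after the rename.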